Delivery-Date: Wed, 19 Aug 2015 13:48:13 -0400
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_MED,T_DKIM_INVALID,T_RP_MATCHES_RCVD autolearn=ham version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id 48EAD1E0D00;
	Wed, 19 Aug 2015 13:48:04 -0400 (EDT)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id 16C1F3682A;
	Wed, 19 Aug 2015 17:38:54 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id 981853681A
 for <tor-talk@lists.torproject.org>; Wed, 19 Aug 2015 17:38:50 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at 
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 8rQ60hofQllJ for <tor-talk@lists.torproject.org>;
 Wed, 19 Aug 2015 17:38:50 +0000 (UTC)
Received: from mail2.eff.org (mail2.eff.org [173.239.79.204])
 (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits))
 (Client did not present a certificate)
 by eugeni.torproject.org (Postfix) with ESMTPS id 78D5736815
 for <tor-talk@lists.torproject.org>; Wed, 19 Aug 2015 17:38:50 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=eff.org;
 s=mail2; 
 h=In-Reply-To:Content-Type:MIME-Version:References:Message-ID:Subject:To:From:Date;
 bh=IBQFiThqVDwIA5Gx892zY4u3PxBvLHhBkZHxo3iCZQ0=; 
 b=puybDefzeJx/yXcpY4XV+pF4q43n5rLErG1d+0jW82YbkZKCI1dllOjK4tP/7bzq1x27ngyFGZY1Q9m07yfR87cvY4a8tkzSGuC8PseCu1os/ZxOyv2QpcDj1/NvIpcVKhvgynUPZsGhQbn0HKjXq5AK6MDokogfKSFEf5SaKus=;
Received: ; Wed, 19 Aug 2015 10:38:48 -0700
Date: Wed, 19 Aug 2015 10:38:48 -0700
From: Seth David Schoen <schoen@eff.org>
To: tor-talk@lists.torproject.org
Message-ID: <20150819173848.GU9483@mail2.eff.org>
References: <55D45D3B.3070401@infosecurity.ch>
 <6236877.Gj4QCOByHe@zwergal-hp-pavilion-g6-notebook-pc>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <6236877.Gj4QCOByHe@zwergal-hp-pavilion-g6-notebook-pc>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [tor-talk] Letsencrypt and Tor Hidden Services
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>

elrippo writes:

> Hi,
> I don't think letsencrypt will work on an HS because letsencrypt checks [1] if the domain you type in is registered.
> So for example on a clearnet IP which has a registered domain at mydomain.com called myserver.tld, letsencrypt makes a DNS check for this clearnet IP and gets the answer that this clearnet IP has a registered domain called myserver.tld on mydomain.com.
> 
> How should letsencrypt do this on a HS?

If the CA/Browser Forum agreed that it was proper to do this, we could
create a special case for requests that include a .onion name to use
a different (non-DNS) resolution mechanism, recognizing "that DNS is
not the only name resolution protocol on the Internet", as Christian
Grothoff put it.

I can't promise that Let's Encrypt would do this, but I think we would
be interested in the possibility.

In a way, the special-casing is what makes some folks in the CA/Browser
Forum nervous right now: if there's no "official" notion of the meaning
of some names, how can CAs know which names should use which resolution
mechanisms?  (For example, maybe some CAs have heard that they should
treat .onion specially, but others haven't.)  If they're unsure which
mechanisms to use, how can they know that the interpretation they give
to the names will be the same as end-users' interpretation?

-- 
Seth Schoen  <schoen@eff.org>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
815 Eddy Street, San Francisco, CA  94109       +1 415 436 9333 x107
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
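The special-casing Seth describes (send .onion names to a non-DNS resolution mechanism, everything else to DNS) and the ambiguity he worries about (a CA that is unsure which mechanism a name belongs to) come down to one decision the CA has to make from the name alone. The following is an added example, written for this archive page and not code from Let's Encrypt, the EFF or the Tor Project. It assumes an HTTP-style control check in which the applicant serves a token at a well-known path (the path constant `ACME_PATH`, the functions `classify` and `validate_control`, and the two fetchers are all hypothetical names); the DNS and Tor fetchers are constructed in-memory stand-ins so the block runs offline, and the DNS stand-in deliberately fails if a .onion name ever reaches it.

```python
"""Route a certificate control check by name class.

Added example, not project code. The fetchers are constructed stand-ins:
the DNS side is an in-memory zone, the Tor side is a map of what a hidden
service would serve. A real CA would replace them with a DNS resolver plus
HTTP client and with an HTTP client that speaks through a Tor SOCKS proxy.
"""
import re
from enum import Enum


class NameClass(Enum):
    DNS = "dns"          # ordinary name: resolve via DNS
    ONION = "onion"      # .onion name: must never be sent to DNS
    INVALID = "invalid"  # malformed; refuse rather than guess


# Onion address label: base32 alphabet, 16 characters (v2) or 56 (v3).
_ONION_LABEL = re.compile(r"[a-z2-7]{16}|[a-z2-7]{56}")
# Ordinary hostname label: letters, digits, inner hyphens.
_HOST_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?")

ACME_PATH = "/.well-known/acme-challenge/"  # assumed challenge location


class ValidationError(Exception):
    """Raised when a name is too ambiguous or malformed to validate at all."""


def classify(name: str) -> NameClass:
    """Pick the resolution mechanism from the name itself.

    Only the rightmost label decides: 'x.onion.example.com' is a DNS name,
    not an onion service. Matching is case-insensitive and a trailing dot
    (fully qualified form) is tolerated. Names with fewer than two labels
    are rejected, as a public CA would not issue for them anyway.
    """
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return NameClass.INVALID
    if labels[-1] != "onion":
        if all(_HOST_LABEL.fullmatch(label) for label in labels):
            return NameClass.DNS
        return NameClass.INVALID
    # For .onion the service address is the label just left of 'onion';
    # anything further left is a subdomain the service itself can answer.
    if _ONION_LABEL.fullmatch(labels[-2]):
        return NameClass.ONION
    return NameClass.INVALID


def validate_control(name: str, token: str, dns_fetch, tor_fetch) -> bool:
    """Fetch the challenge token from `name`, choosing the transport by class.

    dns_fetch(host, path) resolves host over DNS and fetches path.
    tor_fetch(host, path) fetches path through Tor; no DNS is involved.
    A malformed name raises instead of falling back, so a .onion name can
    never be 'validated' by whatever a DNS resolver happens to answer for it.
    """
    cls = classify(name)
    path = ACME_PATH + token
    if cls is NameClass.DNS:
        body = dns_fetch(name, path)
    elif cls is NameClass.ONION:
        body = tor_fetch(name, path)
    else:
        raise ValidationError(f"refusing to validate malformed name {name!r}")
    return body is not None and body.strip() == token


# Constructed sample data (not real zones, addresses or services).
_FAKE_DNS_ZONE = {"www.example.com": "192.0.2.10"}
_FAKE_HTTP = {"192.0.2.10": {ACME_PATH + "tok-dns": "tok-dns"}}
_FAKE_ONION = {"abcdefghijklmnop.onion": {ACME_PATH + "tok-onion": "tok-onion"}}


def fake_dns_fetch(host: str, path: str):
    """Stand-in for resolve-then-GET; trips if a .onion name leaks into DNS."""
    host = host.lower().rstrip(".")
    if host.endswith(".onion"):
        raise AssertionError("a .onion name reached the DNS resolver")
    ip = _FAKE_DNS_ZONE.get(host)
    return None if ip is None else _FAKE_HTTP.get(ip, {}).get(path)


def fake_tor_fetch(host: str, path: str):
    """Stand-in for a GET via a Tor SOCKS proxy, which maps the address itself."""
    return _FAKE_ONION.get(host.lower().rstrip("."), {}).get(path)


if __name__ == "__main__":
    for n in ["www.example.com", "abcdefghijklmnop.onion", "evil.onion.example.com", "short.onion"]:
        print(n, classify(n).value)
```

The control check is syntax-only on the Tor side: it shows that the applicant can serve the token at the onion address, and the hidden-service protocol is what binds that address to a key. Whether that, or some stronger demonstration, is what a CA should accept is exactly the policy question the thread leaves open; the code only makes sure the CA picks one mechanism per name and never lets DNS speak for .onion.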

